Introduction

Collaborative Approach to Developing Biometrics Standards

By John Woodward Jr.


DoD has a growing need to control access to its many assets both in times of war and in times of peace. Similarly, DoD organizations must always be ready to identify “friend or foe.” This requirement is heightened in the global war on terrorism, where the enemy has demonstrated its ability to use sophisticated methods to exploit flaws in current identity management systems. The terrorist attacks of September 11, 2001, reinforced the need for technologies that can enhance homeland security, force protection, and counterterrorism measures.

Biometric technologies may seem exotic, but their use is becoming increasingly common. In 2001, MIT Technology Review named biometrics as one of the “top ten emerging technologies that will change the world.” DoD recognizes the fast-paced developments in biometric technology, and the great need for interoperability in DoD systems. Accordingly, DoD, through its Biometrics Management Office (BMO), has developed a collaborative approach for the development of DoD biometrics standards. This approach will enable DoD to guide biometrics standards development to ensure that the standards promote biometric technology’s interoperability and support for the joint warfighter.

Compared with other, more established types of information technology, the commercial biometrics industry is still relatively new and evolving. The biometric industry has achieved successes in the growth of its capabilities, but from DoD’s perspective, industry’s efforts have sometimes resulted in competing, redundant, or proprietary-based capabilities.

In recent years, biometric technology has matured and become more viable for DoD uses. DoD endeavors to promote the efficiency of biometric technology development through the use of biometrics standards to prevent DoD from building stovepipes, to discourage developers from continually “reinventing the wheel,” and to encourage DoD organizations to use biometric technologies that contribute to joint warfighter capabilities.

Coordinating Biometric Activities within DoD and Other Federal Agencies

On August 25, 2003, Deputy Secretary of Defense Paul Wolfowitz promulgated his “Department of Defense (DoD) Biometrics Enterprise Vision,” which states that, “by 2010, biometrics will be used to an optimal extent in both classified and unclassified environments to improve security for physical and logical access control.” To support this vision, he directed the BMO to “ensure that a scalable biometrics component of the Global Information Grid (GIG) infrastructure is in place, and that the appropriate standards, interoperability tools, testing frameworks, and approved product validations are available to assist the DoD community in using this technology.”

As part of its directive and in keeping with the guidance from the Secretary of the Army (DoD’s Executive Agent for biometric technologies), via the Army Chief Information Officer (CIO), who has oversight responsibility, the BMO established the BMO Standards Working Group to coordinate biometrics standards activities within DoD. The BMO Standards Working Group membership includes the Defense Information Systems Agency, National Security Agency, U.S. Air Force, U.S. Navy, U.S. Army, Biometrics Fusion Center (BMO’s technical arm), National Institute of Standards and Technology (NIST), and others.

One of the BMO Standards Working Group’s major efforts in 2003–2004 has been the development of DoD Biometrics Standards Development Recommended Approach. This document details a recommended approach to the identification of, participation in, and development of biometrics standards. Various DoD and other federal agencies and oversight bodies are reviewing this document. If approved, the document will be the first concrete step toward coordinating the development of biometrics standards with other federal agencies.

Participating in National and International Standards Organizations

The National Technology Transfer and Advancement Act of 1995 (Public Law 104-113) requires federal agencies to adopt commercial standards, particularly those developed by standards developing organizations, wherever possible, in lieu of creating proprietary, nonconsensus standards. Through active participation in national and international standards organizations, the DoD BMO exerts its influence to facilitate and promote DoD interests in the biometrics arena. As a result, the standards developed through these national and international organizations will better reflect and support the interests of DoD biometrics-related activities.

In the United States, the primary body responsible for developing national biometrics standards is the M1 biometrics standards committee of the International Committee for Information Technology Standards (INCITS). INCITS is the recognized standards development organization for information technology within the United States and operates under the rules of the American National Standards Institute (ANSI). It does not restrict membership and attracts participants in its technical work from 13 countries. Mr. Fernando Podio of NIST, an advisor to the BMO director and a member of the BMO Standards Working Group, chairs the INCITS M1 committee. The M1 committee, established in November 2001, is one of several standards committees that develop U.S. national commercial standards related to information technology.

Two other INCITS committees, B10 and T4, also are involved in biometrics-related issues. The B10 committee covers identification cards and related devices (for example, issues related to smart cards); the T4 committee covers security techniques, which include a broad range of data security issues such as the security of biometric data. In addition, another ANSI-chartered organization, X9, is responsible for developing, establishing, publishing, maintaining, and promoting standards for the financial services industry.

ANSI is the official representative to the International Organization for Standardization (ISO), the world’s leading standards body. Under ISO, the counterpart biometrics standards body to M1 at the international level is SC 37 of the ISO/International Electrotechnical Commission Joint Technical Committee 1 (JTC 1). Mr. Fernando Podio of NIST also chairs JTC 1 SC 37, which is the committee responsible for the development of international biometrics standards. INCITS M1 represents the United States in JTC 1 SC 37.

During a recent BMO Standards Working Group meeting, Mr. Podio stated that “the BMO’s collaborative approach in the development of national and international biometrics standards is an example to imitate. Taking a proactive role in the development of these standards and seeking coordination with other government agencies and the industry will support DoD’s decision of adopting open-system-based biometric technology solutions.” Mr. Podio also said that “standards-based enterprise systems and applications are more likely to be interoperable, scalable, usable, reliable, secure, as well as more economical to the user than proprietary systems.”

DoD’s coordination with the NIST program in accelerating the development of national and international biometrics standards, DoD’s related conformity assessment and interoperability efforts, and other U.S. government initiatives will support DoD’s goals to provide high-performance, interoperable, and scalable biometrics solutions to the DoD community.

Figure 1 shows the relationship between the U.S. standards bodies working on biometric technology and their international counterparts. Currently, the BMO actively participates in INCITS M1, T4, B10, X9, and JTC 1 SC 37 (through INCITS M1) on behalf of DoD interests. Recent contributions to INCITS M1 include

■ providing the coeditor for a project that is developing a conformance testing methodology for a Biometrics Application Programming Interface (BioAPI) specification within SC 37 and

■ providing key technical contributions to this and other projects in SC 37’s program of work (e.g., data formats and biometric performance testing).


FIGURE 1. U.S. National Standards Bodies for Biometrics and Their International Counterparts

Within INCITS M1, the BMO is also developing a standard: “DoD Application Profile—Standards Guidance for DoD Implementation of Biometrics.” This standard’s development will include capturing DoD best practices for biometrics and facilitating an increase of interoperability and data interchange in DoD deployments of biometrics.

Status of Biometrics Standards Development

The BMO has developed a conceptual model to categorize the types of standards needed to promote biometric technology’s interoperability and support for the joint warfighter and to clarify what biometrics standards exist and what standards are under development or planned. The model categorizes the standards as follows:

■ Biometrics data format standards
  ▲ Image standards
  ▲ Template standards
  ▲ File format standards
■ Interface standards
■ Application profile standards
■ Performance testing standards
■ Conformance testing methodology standards.

Figure 2 depicts the model and indicates the status of the standards.

FIGURE 2. Conceptual Model of Biometrics Standards

In summary, a significant amount of work on developing biometrics standards is well under way. The BMO must encourage and facilitate interoperability. With this goal in mind, DoD Biometrics Standards Development Recommended Approach represents a solid starting point for DoD’s comprehensive, coordinated approach to DoD use of biometrics. Going forward, the BMO hopes that this approach will serve as a framework for biometrics standards in DoD and receive consideration from other U.S. federal agencies in their implementation of biometric technology. Ideally, U.S. government agencies should work together for a collaborative U.S. government strategic approach, leveraging the resources of participating agencies in the spirit of cooperation. This cooperation not only will advance the development of the necessary standards, but will accelerate the establishment of an environment of interoperability.

About DoD Biometrics

In wartime, DoD’s dependence on information as a tactical and strategic asset requires DoD to carefully control its networks and information systems. From logistics flows to intelligence on enemy forces, DoD depends on confining access to its data to authorized personnel. This need for access control is also critical at the special operations and weapon system level, where, for example, a U.S. military operative deep in enemy territory must quickly and securely communicate actionable intelligence back to other units.

Access control issues are important to the peacetime DoD because improving the efficiency of operations, including controlling access to installations, facilities, computer systems, and networks, depencf^ml^and accurate identification. DoD also operates a vast set of human resource services involving health care, retiree and dependent benefits, and troop support services. These services create the need for identity assurance to prevent fraud and abuse.

Congress, the White House, and DoD leadership recognize that biometrics, or automatic recognition of a person using distinguishing traits, can be an enabling technology to provide better security through identity assurance.

Biometric systems take identity assurance beyond the basic “something you have” (e.g., a token badge) and “something you know” (e.g., user name and password), to “something you are”—a biometric. Biometric-based identity assurance systems rely on physical or behavioral characteristics—such as fingerprints, hand geometry, iris patterns, or signature verification—that are distinctive to individuals and can be measured to ensure that a person’s identity is accurately determined.

The association between an individual and a “trusted identity” is the foundation for identity management. A trusted identity is something that proves beyond a doubt that you are who you say you are (your identity has been “vetted”) and that another person cannot “assume” your identity or masquerade as you (your identity has been “fixed”). Identity management is the process that creates and maintains the use of trusted identity.

With the vetting and fixing of a trusted identity, identity management can be further associated with a set of assigned permissions and access rights. Before the information age, DoD faced its greatest identity challenge in the area of physical access control. However, the exponential growth and use of information technology throughout DoD has dramatically increased the security challenge for logical access control, to which trusted identity is essential.

No one is more aware of this challenge than Army CIO LTG Steven Boutelle, who has oversight responsibility for DoD biometrics. Borrowing from the Army slogan, LTG Boutelle seeks to make biometrics “ready and relevant” for DoD. He emphasized his guidance in his presentation to the September 2003 Biometric Consortium Conference: “Introducing biometric technologies into the DoD is not enough—they must be part of an integrated, interoperable, DoD-wide enterprise solution, in coordination with other U.S. Government initiatives.”

At the same conference, LTG Boutelle also made clear his view that standards development work should be one of the BMO’s highest priorities. Without comprehensive standards in place, DoD runs the risk of creating insular, fragmented, and expensive biometric “fiefdoms” that will not be able to share data or communicate with one another. Such an approach is bad for DoD and a detriment to national security.


